4dd772bd66a77fc6d6f6e95f377b433c5314eda7ab4e042712722cced449d95c

General

Target

5a7d0ce710df3c8e92e481e4a6629189.exe
Size

2.0MB
MD5

5a7d0ce710df3c8e92e481e4a6629189
SHA1

091cdd743e11ab90e3af48c989aabf841a1c6743
SHA256

4dd772bd66a77fc6d6f6e95f377b433c5314eda7ab4e042712722cced449d95c
SHA512

4b3e60eedfce3984ddd6a234e1b967e15cb3752b9093706c28080949a318e34aed5bbb613c681a95903893c6b01d43629ebb028c00079c0ae47153ecead07917
SSDEEP

49152:lh73dG/IgZ0GQ7ai7D3xTgOxYwpKUcm5TJi1Q63i6GQ7ai7D3xTgOxYwpK:ll3dzgZ0D2i7D3xkOxYwpKUcO1IQL6Da

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2728	5a7d0ce710df3c8e92e481e4a6629189.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	5a7d0ce710df3c8e92e481e4a6629189.exe

Loads dropped DLL 1 IoCs

pid	Process
2076	5a7d0ce710df3c8e92e481e4a6629189.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2076-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x000b0000000126e7-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2768	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5a7d0ce710df3c8e92e481e4a6629189.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5a7d0ce710df3c8e92e481e4a6629189.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	5a7d0ce710df3c8e92e481e4a6629189.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	5a7d0ce710df3c8e92e481e4a6629189.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2076	5a7d0ce710df3c8e92e481e4a6629189.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2076	5a7d0ce710df3c8e92e481e4a6629189.exe
2728	5a7d0ce710df3c8e92e481e4a6629189.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2728	2076	5a7d0ce710df3c8e92e481e4a6629189.exe	29
PID 2076 wrote to memory of 2728	2076	5a7d0ce710df3c8e92e481e4a6629189.exe	29
PID 2076 wrote to memory of 2728	2076	5a7d0ce710df3c8e92e481e4a6629189.exe	29
PID 2076 wrote to memory of 2728	2076	5a7d0ce710df3c8e92e481e4a6629189.exe	29
PID 2728 wrote to memory of 2768	2728	5a7d0ce710df3c8e92e481e4a6629189.exe	31
PID 2728 wrote to memory of 2768	2728	5a7d0ce710df3c8e92e481e4a6629189.exe	31
PID 2728 wrote to memory of 2768	2728	5a7d0ce710df3c8e92e481e4a6629189.exe	31
PID 2728 wrote to memory of 2768	2728	5a7d0ce710df3c8e92e481e4a6629189.exe	31
PID 2728 wrote to memory of 2552	2728	5a7d0ce710df3c8e92e481e4a6629189.exe	34
PID 2728 wrote to memory of 2552	2728	5a7d0ce710df3c8e92e481e4a6629189.exe	34
PID 2728 wrote to memory of 2552	2728	5a7d0ce710df3c8e92e481e4a6629189.exe	34
PID 2728 wrote to memory of 2552	2728	5a7d0ce710df3c8e92e481e4a6629189.exe	34
PID 2552 wrote to memory of 2884	2552	cmd.exe	33
PID 2552 wrote to memory of 2884	2552	cmd.exe	33
PID 2552 wrote to memory of 2884	2552	cmd.exe	33
PID 2552 wrote to memory of 2884	2552	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\5a7d0ce710df3c8e92e481e4a6629189.exe
"C:\Users\Admin\AppData\Local\Temp\5a7d0ce710df3c8e92e481e4a6629189.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\5a7d0ce710df3c8e92e481e4a6629189.exe
  C:\Users\Admin\AppData\Local\Temp\5a7d0ce710df3c8e92e481e4a6629189.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5a7d0ce710df3c8e92e481e4a6629189.exe" /TN U5Z8sQiHf24d /F
    3⤵
    - Creates scheduled task(s)
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN U5Z8sQiHf24d > C:\Users\Admin\AppData\Local\Temp\iEcfQH.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN U5Z8sQiHf24d
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iEcfQH.xml

Filesize
1KB

MD5
bac449b3af28bde1e3e2e575bdf2f544

SHA1
9691607b63ea1d61dec584504a441dc73fc75464

SHA256
3a64e65b9bf04c676b6d1fbeb8fd68fc04f22be9701de1aab855378069718aac

SHA512
f6c2614fb3fe3e71046b4f1558030a1936c8167c264dfd2112c74679d3e68d592fd44962ee1cb5a0a0b7d3d02433e2260ad692569ec8a8ff0abc2cd87faa9c48

Download Submit
\Users\Admin\AppData\Local\Temp\5a7d0ce710df3c8e92e481e4a6629189.exe

Filesize
2.0MB

MD5
ae2b6aa0ae50c9e4d0acd0767e3b5161

SHA1
06f190b0418638383b922ca0f7aff05289acfe16

SHA256
7cfe2acaafa705b1dffc4eb806e40673326cdb92eeeee30bd298da2ad7b64e5c

SHA512
5355ac743ab994669770abd31002e24119c9eaf9d8aedbdb51f9a6702696c665fc0f68518521428b4f815af3883f16dd0cfcc4c1137f0baa3013ba7a8d7a91d9

Download Submit
memory/2076-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2076-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2076-7-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2076-16-0x0000000023350000-0x00000000235AC000-memory.dmp

Filesize
2.4MB

Download
memory/2076-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2728-19-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2728-21-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2728-31-0x0000000000370000-0x00000000003DB000-memory.dmp

Filesize
428KB

Download
memory/2728-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2728-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads